Methods and apparatus are provided for secure function evaluation for a covert client and a semi-honest server using string selection oblivious transfer. An information-theoretic version of a garbled circuit C is sliced into a sequence of shallow circuits $C_1, \ldots, C_n$ that are evaluated. Consider any wire $w_j$ of C that is an output wire of $C_i$ and is an input wire of $C_{i+1}$. When a slice $C_i$ is evaluated, $C_i$'s 1-bit wire key for $w_j$ is computed by the evaluator, and then used, via string selection oblivious transfer (SOT), to obtain the wire key for the corresponding input wire of $C_{i+1}$. This process repeats until C's output wire keys are computed by the evaluator. The 1-bit wire keys of the output wires of the slice are randomly assigned to wire values.
Legal claims defining the scope of protection, as filed with the USPTO.
1. A method for secure function evaluation between a client and a server, comprising: obtaining a circuit, C, representing a function, ƒ; preparing slices of said circuit, C, into a sequence of sub-circuits $C_1, \ldots, C_l$, wherein each of said sub-circuits $C_1, \ldots, C_l$ comprises a fan-out-one circuit; executing an oblivious transfer of keys for said sub-circuits $C_1, \ldots, C_l$, to said client for evaluation, wherein input keys of one or more of said sub-circuits $C_1, \ldots, C_l$, are based on output keys of a prior one of said sub-circuits $C_1, \ldots, C_l$, wherein a secret associated with said oblivious transfer is only sent to said client if one of a plurality of allowed selection strings is provided by said client to said server, wherein said allowed selection strings comprise a plurality of bits; and sending one or more output translation tables to said client.
2. The method of claim 1, wherein said step of preparing slices further comprises the steps of generating output secrets of a given sub-circuit and obtaining corresponding input secrets.
3. The method of claim 2, wherein said step of obtaining corresponding input secrets applies a Gate Evaluation Secret Sharing (GESS) sharing scheme.
4. The method of claim 2, wherein said given sub-circuit $C_i$, has input wires $u_{i,j}$ and output wires $v_{i,j}$, and wherein for each wire $v_{i,j}$, said server S selects two random output garblings $\tilde{v}_{i,j}^0, \tilde{v}_{i,j}^1$ of length $k' > 1$ (conditioned on $\tilde{v}_{i,j}^0 \neq \tilde{v}_{i,j}^1$) and computes garblings for each input wire in said given sub-circuit $C_i$.
5. The method of claim 1, wherein said step of executing said oblivious transfer of keys comprises a transfer of garblings for secure function evaluation for said sub-circuit $C_1$.
6. The method of claim 5, wherein said transfer of garblings for secure function evaluation for said sub-circuit $C_1$ comprises said server S executing for each client input wire $u_{i,j}$ representing bits of input x of said client C, a 1-out-of-2 oblivious transfer protocol, where S has input values $\tilde{u}_{i,j}^0, \tilde{u}_{i,j}^1$, and said client C uses input x for said oblivious transfer.
7. The method of claim 5, wherein said secure function evaluation garblings transfer for said sub-circuit $C_1$ comprises said server S sending to said client C for each server input wire $u_{1,j}$ representing bits of input y of said server S, one of input values $\tilde{u}_{i,j}^0, \tilde{u}_{i,j}^1$, corresponding to input bits of said server S.
8. The method of claim 1, wherein said step of executing said oblivious transfer of keys for said sub-circuits $C_2, \ldots, C_l$, comprises performing said oblivious transfer with server input values $((\tilde{u}_{i,j}^0 \oplus r_{i,j}, \tilde{v}_{i-1,j}^0), (\tilde{u}_{i,j}^1 \oplus r_{i,j}, \tilde{v}_{i-1,j}^1))$, where $r_{i,j}$ are randomly chosen bitmasks.
9. The method of claim 8, further comprising the step of sending said $r_{i,j}$ values to said client C.
10. A method for secure function evaluation between a client and a server, comprising: executing an oblivious transfer of keys for a plurality of sub-circuits $C_1, \ldots, C_l$, from said server for evaluation, wherein said sub-circuits $C_1, \ldots, C_l$ are a plurality of information-theoretic garblings of slices of a circuit, C, wherein each of said sub-circuits $C_1, \ldots, C_l$ comprises a fan-out-one circuit, and wherein input keys of one or more of said sub-circuits $C_1, \ldots, C_l$, are based on output keys of a prior one of said sub-circuits $C_1, \ldots, C_l$, wherein a secret associated with said oblivious transfer is only received by said client if one of a plurality of allowed selection strings is sent by said client to said server, wherein said allowed selection strings comprise a plurality of bits; evaluating said sub-circuits $C_1, \ldots, C_l$ using garbled input values to obtain garbled output values; receiving one or more output translation tables from said server; and generating a bit for each output wire of said circuit, C, corresponding to a wire secret obtained in evaluation of said sub-circuit $C_l$.
11. The method of claim 10, wherein said step of executing said oblivious transfer of keys for said plurality of sub-circuits $C_1, \ldots, C_l$, comprises a transfer of garblings for secure function evaluation for a sub-circuit $C_1$.
12. The method of claim 10, wherein said step of executing said oblivious transfer of keys for said sub-circuits $C_2, \ldots, C_l$, comprises performing said oblivious transfer with client input values $\tilde{v}_{i-1,j}'$, where $\tilde{v}_{i-1,j}'$ comprises an output wire secret of a prior sub-circuit $C_{i-1}$.
13. The method of claim 12, further comprising the step of obtaining $\tilde{u}_{i,j}^1 \oplus r_{i,j}$ as an output from a string oblivious transfer routine, $\mathrm{SOT}_{k,k'}$.
14. The method of claim 13, further comprising the steps of receiving said $r_{i,j}$ values from said server and computing said $\tilde{u}_{i,j}'$ values.
15. A server system for secure function evaluation with a client, comprising: a memory; and at least one hardware device, coupled to the memory, operative to: obtain a circuit, C, representing a function, ƒ; prepare slices of said circuit, C, into a sequence of sub-circuits $C_1, \ldots, C_l$, wherein each of said sub-circuits $C_1, \ldots, C_l$ comprises a fan-out-one circuit; execute an oblivious transfer of keys for said sub-circuits $C_1, \ldots, C_l$, to said client for evaluation, wherein input keys of one or more of said sub-circuits $C_1, \ldots, C_l$, are based on output keys of a prior one of said sub-circuits $C_1, \ldots, C_l$, wherein a secret associated with said oblivious transfer is only sent to said client if one of a plurality of allowed selection strings is provided by said client to said server, wherein said allowed selection strings comprise a plurality of bits; and send one or more output translation tables to said client.
16. A client system for secure function evaluation with a server, comprising: a memory; and at least one hardware device, coupled to the memory, operative to: execute an oblivious transfer of keys for a plurality of sub-circuits $C_1, \ldots, C_l$, from said server for evaluation, wherein said sub-circuits $C_1, \ldots, C_l$ are a plurality of information-theoretic garblings of slices of a circuit, C, wherein each of said sub-circuits $C_1, \ldots, C_l$ comprises a fan-out-one circuit, and wherein input keys of one or more of said sub-circuits $C_1, \ldots, C_l$, are based on output keys of a prior one of said sub-circuits $C_1, \ldots, C_l$, wherein a secret associated with said oblivious transfer is only received by said client if one of a plurality of allowed selection strings is sent by said client to said server, wherein said allowed selection strings comprise a plurality of bits; evaluate said sub-circuits $C_1, \ldots, C_l$ using garbled input values to obtain garbled output values; receive one or more output translation tables from said server; and generate a bit for each output wire of said circuit, C, corresponding to a wire secret obtained in evaluation of said sub-circuit $C_l$.
17. A method for executing string-selection oblivious transfer of one or more secrets between a server and a client, wherein said server holds two pairs of secrets $(x_0, r_0), (x_1, r_1)$, wherein $x_0$ and $x_1$ comprise k-bit strings and wherein $r_0$ and $r_1$ comprise $k'$-bit strings, and wherein $r_0 \neq r_1$, said method comprising: encrypting said secret $x_0$ with a key $s_0$, and said secret $x_1$ with a key $s_1$ to provide two encryptions $e_0$ and $e_1$, wherein said keys $s_0$ and $s_1$ are chosen randomly; participating in oblivious transfer with said client by executing $k'$ standard oblivious transfers, two oblivious transfer input secrets of said server being the two corresponding i-th secret-shares of keys $s_0$ and $s_1$, wherein the secret sharing of $s_0$ and $s_1$ takes into account two server input values $r_0$ and $r_1$; and sending said two encryptions $e_0$ and $e_1$ to said client if said client successfully reconstructed one of said two keys $s_0$ and $s_1$.
18. The method of claim 17, further comprising the step of S outputting an empty string $\lambda$ if $r = r_i$ and said client did not deviate from a protocol.
19. The method of claim 17, further comprising the step of outputting an error symbol $\bot$ if $r \neq r_i$ or if said client deviated from a protocol.
20. A method for performing oblivious transfer of one or more secrets between a server and a client, wherein said client holds a k-bit selection string r, said method comprising: participating in said oblivious transfer with said server by executing $k'$ standard oblivious transfers, wherein an i-th oblivious transfer is executed with a client selection bit corresponding to an i-th bit of an input selection string r; reconstructing an encryption key corresponding to said selection string r; providing to said server an indication of a successful reconstruction of one of two keys $s_0$ and $s_1$; receiving two encryptions $e_0$ and $e_1$; and decrypting one of said two encryptions $e_0$ and $e_1$ to obtain one of $(x_0, x_1)$, according to said selection string r.
21. The method of claim 20, further comprising the step of outputting an error symbol $\bot$ if $r \neq r_i$ or if said client deviated from a protocol.
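The string-selection oblivious transfer of claims 17 to 21, sketched as an added example that is not code from the patent. Assumptions: each standard 1-out-of-2 OT is replaced by an ideal stand-in (`ideal_ot`), each key is defined as the XOR of the shares along its allowed selection string, a SHAKE-256 pad stands in for the encryption, and a per-ciphertext tag (hypothetical, not in the claims) lets the client pick the ciphertext its key opens. The client's success indication to the server is not modelled.

```python
import hashlib
import secrets

KEY_LEN = 16  # bytes per share and per key (assumed parameter)

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def kdf(key, label, n):
    # Expand a key into n bytes; stands in for the unspecified encryption scheme.
    return hashlib.shake_256(label + key).digest(n)

def reconstruct(shares):
    # A key is the XOR of the k' shares picked by one selection string.
    key = bytes(KEY_LEN)
    for share in shares:
        key = xor(key, share)
    return key

def server_setup(x0, r0, x1, r1):
    """Build OT inputs and ciphertexts for secrets x0, x1 and bit lists r0 != r1."""
    assert len(r0) == len(r1) and r0 != r1 and len(x0) == len(x1)
    # One pair of random shares per selection-string bit: the inputs of OT i.
    pairs = [(secrets.token_bytes(KEY_LEN), secrets.token_bytes(KEY_LEN))
             for _ in r0]
    cts = []
    for x, r in ((x0, r0), (x1, r1)):
        # s_b is fixed by the shares lying on the path r_b, so the sharing
        # "takes into account" the two allowed strings.
        s = reconstruct([pairs[i][bit] for i, bit in enumerate(r)])
        cts.append((kdf(s, b"tag", 16), xor(x, kdf(s, b"enc", len(x)))))
    return pairs, cts

def ideal_ot(pair, choice_bit):
    # Ideal 1-out-of-2 OT: the receiver learns only the chosen message.
    return pair[choice_bit]

def client_run(r, pairs, cts):
    """Return x_b if r equals r_b, else None (the error symbol)."""
    key = reconstruct([ideal_ot(pairs[i], bit) for i, bit in enumerate(r)])
    for tag, e in cts:
        if secrets.compare_digest(tag, kdf(key, b"tag", 16)):
            return xor(e, kdf(key, b"enc", len(e)))
    return None  # some share on each allowed path was never received
```

A selection string that differs from both allowed strings misses at least one share on each path, so the reconstructed value matches neither tag and `client_run` returns `None`.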
July 31, 2012
March 24, 2015